How To Scan And Clean A Hacked WordPress Website? (10 Steps Suggested By WordPress Experts)

Getting your WordPress website hacked is one of the worst situations you can be in as a website owner. You can lose your traffic, your search ranking, your visitors' trust, etc. It is one of those nerve-racking situations where you need to take immediate steps. And if you can’t act quickly, you will risk losing everything.

So, do you feel your WordPress account has been hacked? Have you noticed any strange changes on your website? If you are asking these questions, then you need to know how to scan and clean a hacked WordPress website.

Knowing how to scan and identify hacked WordPress websites gives you a lot of obvious benefits. For example – more than 30,000 WordPress websites are exposed to hackers every day. In this article, I will explain how to scan and clean a hacked WordPress website and how you can protect yours as well.

Need A Fast Expert Solution At Reasonable Price? Here’s One

MalwareCare is a fast-growing cyber security company based in the USA providing expert WordPress security services around the world. Services like – Penetration Testing, Website Security, WordPress website checking, and Website Auditing form its core specialities.

With experienced WordPress experts, MalwareCare performs rigorous tests on the client’s website until the problem is fully neutralized. Head over to their website to find timely service, active response, and useful expert advice, all within an affordable price range.

Signs Of A Hacked WordPress Website

WordPress malware is designed to stay hidden while causing serious damage to your website. Here are some of the symptoms to look out for:

  • Spam results in Google SERP
  • Site redirected to another URL having malicious content
  • Website contains links to spam sites that seem unremovable
  • New pages that are not recognizable on Google search
  • Shows Google warning about the site being hacked
  • Site shows a red alert when scanned by third-party apps.
  • Site is listed as UNSAFE on Google’s Safe Browsing Site Status tool
  • Changes on the website backend
  • Web hosting issues
  • Performance issues
  • User experience issues
  • Disruption in analytical patterns

How To Confirm Your WordPress Website Is Hacked?

APPROACH #1: Check Your WordPress Root File

Not all of your WordPress files will be affected by malware if your site gets hacked. Check the core locations – wp-admin, wp-includes, and the root folder.

The quickest way to check the integrity of your WordPress files is to use the diff command from the terminal to compare them against a clean copy. However, you can also check your files through SFTP if you’re not comfortable using the command line. If there are no modifications, then your core files are clean.
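
One way to run that comparison, as an added example that is not part of the original article: it checks every file outside wp-content against a freshly downloaded copy of the same WordPress version. The function names and both directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: compare a live WordPress tree against a clean copy of the
# same version. Both directory arguments are assumptions; use your own paths.

# list_files DIR: relative paths of all files outside wp-content, sorted.
# wp-content is skipped because it holds site-specific themes, plugins and
# uploads that a stock download never matches.
list_files() {
    (cd "$1" && find . -path ./wp-content -prune -o -type f -print) |
        sed 's|^\./||' | sort
}

# core_diff CLEAN SITE: print "MODIFIED|MISSING|ADDED <path>" per finding.
core_diff() (
    clean=${1%/}; site=${2%/}
    # Files shipped by WordPress: report changed or missing ones.
    list_files "$clean" | while IFS= read -r rel; do
        if [ ! -f "$site/$rel" ]; then
            echo "MISSING $rel"
        elif ! diff -q "$clean/$rel" "$site/$rel" >/dev/null; then
            echo "MODIFIED $rel"
        fi
    done
    # Files only on the live site. wp-config.php (and .htaccess, if present)
    # appear here because the download does not ship them: review by hand.
    list_files "$site" | while IFS= read -r rel; do
        [ -f "$clean/$rel" ] || echo "ADDED $rel"
    done
)

# Usage: sh core_diff.sh /path/to/clean/wordpress /path/to/live/site
if [ "$#" -eq 2 ]; then core_diff "$1" "$2"; fi
```

For any MODIFIED line, `diff -u` on the two copies of that file shows exactly what was changed.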

APPROACH #2: Search For Recently Modified Files

Recently modified files lay down the path for greater harm to a website. Here is how to check if your files have been modified or not.

How To Manually Check Recently Modified Files in WordPress:

  1. Log in to your SSH terminal or your FTP client
  2. If you are using SSH, type the following command to see files modified in the last 15 days:

					$ find ./ -type f -mtime -15

  3. If you are using SFTP, then view the date in the modified date column.
  4. Note the files that have been changed recently.

How To Check Recently Modified Files Through The Command Line In Linux:

  1. Open the terminal
  2. Type –

					$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

  3. To include directories in the listing, type –

					$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

How To Check Recently Modified Files From The cPanel:

  1. Log into your cPanel and go to File Manager
  2. Go to your site’s home directory and select the option ‘Last Modified’
  3. See the list of all updated files along with the modification date on top.

How To Check The Google Diagnostics Page:

If Google blacklists your site for malicious content, there is reason to believe that your site is compromised. Let’s take a look at how to check the status of your website on the Google Diagnostics page:

    1. Go to the Safe Browsing Site Status website.
    2. Enter the URL and search the site
    3. Check for site information, site redirects, malicious code injection, etc.
    4. Test Details: Confirmation of whether there is malicious code in the website backend

What Steps Should Be Followed to Fix A Hacked WordPress Website?

Expert Tip:

The fastest way to remove malware from a website is to compare a backed-up version of your site with your current website. You can do this using Diffchecker. Compare the two versions and, if you find changes, use your backup version to re-upload the site. This is the fastest way to get your site functional again.

Note of Caution:

The steps we are going to mention here require knowledge of the WordPress file structure and databases. So, if you are familiar with editing database tables or making basic changes using PHP, then this process will be easier for you. In addition, you will need to access your file structure via SFTP/FTP (Filezilla) or SSH.

Besides, here are some steps you need to follow to make sure your site is clean and free from malware:

1 - Clean Hacked WordPress Files

Step #1: Clean All Hacked WordPress Files

  1. Check the version of your WP website from wp-includes/version.php
  2. Now, go to WordPress official website, download the same version of the wp-includes/version.php file
  3. Extract the WordPress installation file on your computer
  4. Log into your WP file structure through SFTP or FTP (Filezilla) and replace the version.php file
  5. Replace each of the infected/changed files with the new one.

Step #2: Clean All Hacked WordPress Plugins And Theme Files (Manually)

  1. Download a new copy of your selected plugin from WordPress official website
  2. Extract the plugins/theme on your computer
  3. Log into your WP theme/plugin structure through your SFTP/FTP or using the cPanel access provided by your hosting service provider.
  4. Replace the files on plugin/theme folder within ./wp-content/plugins or ./wp-content/themes with a new copy
  5. Open any suspected files using a text editor
  6. Remove malicious code from custom files
  7. Run the file to see if it works normally.

Step #3: Clean All Hacked WordPress Plugins And Theme Files (From WP Dashboard)

  1. Log into your WordPress dashboard
  2. Go to Installed Plugins
  3. Deactivate and delete installed plugins
  4. Install the same plugin from the original source
  5. Install and activate the plugins/theme

2 - Clean Hacked WordPress Database Tables

Removing malware from your WordPress database requires access to your database admin panel so you can edit the database. There are some great tools like – phpMyAdmin or Adminer for this job.

Step #1: Remove A Malware Infection From Your WordPress Website (Manual Process)

  1. Log into your database admin panel.
  2. Create a database backup before making modifications
  3. Look for suspicious data injections like – spam keywords, malicious links, etc.
  4. Open the row from the database editor like PHPMyAdmin
  5. Manually remove suspicious content
  6. Verify the consistency of your changes.

Expert Tip

Beginner WP users can use the payload information given by the malware scanner to solve the problems. However, an intermediate or expert user generally looks for and removes commonly abused functions like – eval, base64_decode, gzinflate, preg_replace, str_replace, etc.

3 - Secure Your WordPress User Accounts

Secure user accounts are important to stop malicious users from exploiting your site. Hackers often try to create fake admin users or FTP users to regain access to your WordPress admin dashboard at a later date. This makes it vital to secure every entry point of your website end-to-end.

I say this because, if a site is cleaned and yet carries a malicious unidentified user, then there is a good chance that the site will be reinfected. Remove access from the following places to secure your user accounts:

  1. FTP Users
  2. SSH Users
  3. WP Admin Users
  4. Additional Database Users

Step #1: Remove Suspicious Users From Your WordPress Website (Manual Process)

  1. Create a backup of your WP site and database.
  2. Login to your WP account.
  3. Go to Users.
  4. Find suspicious new user accounts
  5. Hover over the account in question and click Delete.

Expert Tip

Experts suggest that each WP site should have one admin user and assign the other users roles with limited access. For example – editor, contributor, author, etc. In this way, you can limit the extent of malware infection on your site. If the hacker cannot access the admin account, then you only need to remove the suspicious users.

Some malware infections will automatically add suspicious email accounts provided the accounts are available on the hosting platform. So, it is better to check the list of email addresses and remove both suspicious email addresses and accounts if possible.

4 - Remove Suspicious WordPress User Accounts

A backdoor is one of the most common ways a hacker will try to access your site. If a hacker gains access to your site, they will try to create a secret way to get back in again.

Usually, backdoors are concealed in files that have the same names as core WordPress files but are kept in the wrong directory. For example – hackers can create a backdoor in your wp-config.php file and in directories such as wp-content/themes, wp-content/plugins, and wp-content/uploads.

Plus, here is a list of the most commonly abused PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file

Expert Tip

Most of the malicious code seen in WordPress uses some form of encoding or encryption to avoid detection. Premium themes and plugins sometimes encode their code to prevent it from leaking, but it is quite rare to see encoded code in the official WordPress repository.

Besides, the functions in the given list are also used by legitimate plugins, so be sure to test the site before and after removing code to make sure the change does not affect any other WordPress components.
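
A triage scan for the functions named in the list above and in the earlier database tip, as an added example that is not part of the original article. The function name, the HIGH/REVIEW labels and the rule that any PHP file under wp-content/uploads is rated HIGH are assumptions of this example; str_replace is left out because nearly every plugin calls it.

```shell
#!/bin/sh
# Added example: triage PHP files that call the functions listed in this
# article. Hits are leads for manual review, not proof of infection.

CALLS='eval|assert|exec|system|base64_decode|gzinflate|gzuncompress|str_rot13|stripslashes|preg_replace|move_uploaded_file'
# A listed name used as a plain function call: not the tail of a longer
# identifier (curl_exec) and not a method call ($db->exec, Foo::system).
CALL_RE="(^|[^[:alnum:]_>:\$])($CALLS)[[:space:]]*\\("
# Code execution wrapped directly around a decoder, or preg_replace with /e.
HIGH_RE="(eval|assert)[[:space:]]*\\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\\(|preg_replace[[:space:]]*\\([[:space:]]*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]"

# scan_php DIR: print "<HIGH|REVIEW> <path> <functions>" per flagged file.
scan_php() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # Put a space after every "(" so nested calls such as
        # eval(base64_decode( are each preceded by a separator character.
        names=$(sed 's/(/( /g' "$f" | grep -oiE "$CALL_RE" |
                grep -oiE "$CALLS" | tr 'A-Z' 'a-z' | sort -u |
                tr '\n' ',' | sed 's/,$//')
        level=REVIEW
        if grep -qiE "$HIGH_RE" "$f"; then level=HIGH; fi
        # PHP inside the uploads directory is suspicious whatever it calls.
        case "$f" in */wp-content/uploads/*) level=HIGH ;; esac
        if [ -n "$names" ] || [ "$level" = HIGH ]; then
            echo "$level $f ${names:--}"
        fi
    done
}

# Usage: sh scan_php.sh /path/to/site
if [ "$#" -eq 1 ]; then scan_php "$1"; fi
```

Start with the HIGH lines; REVIEW lines are mostly legitimate plugin code and only need a look when the file is unfamiliar or recently modified.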

5 - Remove Malware Warnings

If you’ve been marked by Google as a potentially harmful website, you can request a review after fixing the site properly. This is done by filling in a form for each blocklisting authority that blocked your website.

Step #1: Remove Malware Warnings On Your Website

  1. If your website has been blocked by your hosting provider, ask them to remove the suspension after getting it fixed.
  2. Fill in a form for a review request for each authority blocking your website. This list includes – Google Search Console, McAfee SiteAdvisor, Yandex Webmaster, etc.

Expert Suggestion

At MalwareCare, we submit a review request to the web authority on your behalf. Usually, when a reputed security platform places a request, the impression is that the site is secured and in capable hands. This impression can speed up the review process significantly.

For example – if you have made a review request for web spam attacks, it can take up to two weeks to grant your request.

In Conclusion

To conclude, it is essential to know about WP security and also keep a security option open for your website(s) in case of emergencies. Most people are still unaware of end-to-end security measures which is why reliable web security companies like MalwareCare are vital for site owners.

Overall, in this article I tried to put out an informative description of how to scan and clean a hacked WordPress website.

In all honesty, I recommend MalwareCare from personal experience through a colleague at work. They provide a reliable, top-notch, and timely service across major cities in the US, and in the UK and save the lives and money of countless people. So, if you have questions, make sure to check them out.


Copyright © 2022. All rights reserved;